3.2 Create SSL/TLS or SSH Session Documents

When you create a Reflection session document, configure it to use the security protocols your organization requires.

This connection type          Supports these protocols
3270 terminal or printer      SSL/TLS, SOCKS
5250 terminal or printer      SSL/TLS, SOCKS
6530 terminal*                SSL/TLS, Secure Shell
VT terminal or FTP Client     SSL/TLS, Secure Shell, Kerberos, SOCKS, HTTP

3.2.1 Digital Certificates and Reflection Certificate Manager

You can configure certificate authentication for both Secure Shell and SSL/TLS connections.

  • All SSL/TLS sessions require certificates for host authentication; without the necessary certificate, you cannot make a host connection. Depending on the host configuration, you may also need to install certificates for user authentication.

  • Secure Shell sessions typically require both host and user authentication. Certificates can be used for host authentication, user authentication, or both, but are not required by default.

Certificate authentication solves some of the problems presented by public key authentication. For example, for host public key authentication, the system administrator must either distribute host keys for every server to each client's known hosts store, or count on client users to confirm the host identity correctly when they connect to an unknown host. When certificates are used for host authentication, a single CA root certificate can be used to authenticate multiple hosts. In many cases the required certificate is already available in the Windows certificate store.

Digital certificates are maintained on your computer in certificate stores. A certificate store contains the certificates you use to confirm the identity of remote parties, and may also contain personal certificates, which you use to identify yourself to remote parties. Personal certificates are associated with a private key on your computer.

You can use digital certificates located in all of the following stores:

  • The Windows Certificate Store

    This store can be used by a number of applications, web browsers, and mail clients. Some certificates in this store are included when you install the Windows operating system. Others may be added when you connect to internet sites and establish trust, when you install software, or when you receive an encrypted or digitally signed e-mail. You can also import certificates manually into your Windows store. Manage the certificates in this store using the Windows Certificate Manager.

  • The Reflection Certificate Manager Store

    This store is used only by Micro Focus applications. To add certificates to this store, you must import them manually. You can import certificates from files and also use certificates on hardware tokens such as smart cards.

  • Centralized Management Server

    The Centralized Management Server provides an administrator the means to centrally manage, secure, and monitor users’ access to host applications. Administrators can deploy centrally managed sessions and certificates to the user. Digital certificates through the centralized management server can only be enabled if the centralized management server is configured to provide users’ access to host applications.

Reflection Certificate Manager

Use the Reflection Certificate Manager to manage certificates for use exclusively by Reflection. You can deploy certificates and settings per-user or for all users of the system.

  • User-specific location: [PersonalFolder]\Micro Focus\Reflection\.pki, where [PersonalFolder] is the Documents folder for the current user (by default C:\Users\username\Documents).

  • Global location: [CommonAppDataFolder]\Micro Focus\Reflection\.pki, where [CommonAppDataFolder] is the application data folder for all users (by default C:\ProgramData).

NOTE: These settings are not included in compound documents.

The procedures for opening the Certificate Manager depend on your product and session type.

To open the Reflection Certificate manager from the Secure Shell Settings dialog box

  1. Open the Reflection Secure Shell Settings dialog box.

  2. On the PKI tab, click Reflection Certificate Manager.

To open the Reflection Certificate manager from the Security Properties dialog box

  1. Open the Security Properties dialog box.

  2. On the SSL/TLS tab, select Use SSL/TLS Security.

  3. Click Configure PKI.

  4. Click Reflection Certificate Manager.

3.2.2 Set up SSL/TLS Connections

SSL/TLS connections use digital certificates for authentication. Depending on how your certificate was issued and the way your host is configured, you may need to install a host and/or personal certificate before you can connect using SSL/TLS.

  • In 3270, 5250, and VT sessions, SSL/TLS connection settings are saved to the session document.

  • In the FTP Client, SSL/TLS connection settings are saved to the FTP Client settings file ( *.rfw).

To configure SSL/TLS in 3270, 5250, or VT terminal sessions

  1. Open the Create New Document dialog box, select a session template and click Create.

  2. Select Configure additional settings, and then click OK.

  3. Do one of the following:

    • If you are setting up a 3270 or 5250 terminal session, under Host Connection, click Set Up Connection Security. Then, in the Configure Advanced Connection Settings dialog box, click Security Settings.

    • If you are setting up a VT terminal session, click Configure Connection Settings, confirm Network Connection Type is set to Telnet, and click the Back arrow button. Then, under Host Connection, click Set Up Connection Security.

  4. From the Security Properties dialog box, select the SSL/TLS tab, and select Use SSL/TLS security.

  5. Click Configure PKI to configure certificate settings.

  6. To lock down these settings, see Control Access to “Lock Down” Settings and Controls.

To configure SSL/TLS in FTP Client Sessions

  1. Start the FTP Client.

  2. In the Connect to Site dialog box, select a site and click Security.

  3. Click the SSL/TLS tab and select Use SSL/TLS security.

  4. Click Configure PKI to configure certificate settings.

3.2.3 Set up Secure Shell Connections

Secure Shell connections are available for VT terminal sessions and for SFTP transfers in the FTP Client.

By default, Secure Shell connections use public key authentication for the host and username/password authentication for the user. If you configure non-default settings, they are saved for each host (or ssh configuration scheme) to the ssh configuration file. This file is used for all connections (VT sessions and the FTP Client). You can deploy these settings per-user or for all users of the system. These settings are not included in compound documents.

  • User-specific configuration: [PersonalFolder]\Micro Focus\Reflection\.ssh\config, where [PersonalFolder] is the Documents folder for the current user (by default C:\Users\username\Documents).

  • Global configuration: [CommonAppDataFolder]\Micro Focus\Reflection\ssh_config, where [CommonAppDataFolder] is the application data folder for all users (by default C:\ProgramData).

To configure a secure terminal session using Secure Shell (SSH)

  1. Open the Create New Document dialog box, select the VT Terminal template and click Create.

  2. In the Create New dialog box, under Connection, select Secure Shell and click OK.

  3. Click OK.

  4. To lock down these settings, see Control Access to “Lock Down” Settings and Controls.

To configure non-default Secure Shell settings

  1. Open a session that you have configured to use Secure Shell. Disconnect if you are connected.

  2. Open the Document Settings dialog box.

  3. Under Host Connection, click Set up Connection Security.

  4. In the Reflection Secure Shell Settings dialog box, configure any non-default settings and then click OK.

    When you click OK, changes to the default settings are saved in the Secure Shell config file in [PersonalFolder]\Micro Focus\Reflection\.ssh, where [PersonalFolder] is the Documents folder for the current user (by default C:\Users\username\Documents).

  5. To lock down these settings, see Control Access to “Lock Down” Settings and Controls.

To configure username and password prompts to appear in the terminal window

  1. Open a session that you have configured to use Secure Shell. Disconnect if you are connected.

  2. Under Host Connection, click Configure Connection Settings.

  3. Under Connection Options, select Handle SSH user authentication in terminal window.

  4. To lock down these settings, see Control Access to “Lock Down” Settings and Controls.

Known Hosts

Host authentication (performed with public key authentication) enables the Secure Shell client to reliably confirm the identity of the Secure Shell server. If the host public key is not installed on the client, the host fingerprint is displayed and users are prompted to contact the system administrator to verify the fingerprint. This confirmation protects against a "man-in-the-middle" attack, in which another server poses as the host. If you select Always in response to this prompt, the host key is saved in a file called known_hosts, which is created in [PersonalFolder]\Micro Focus\Reflection\.ssh, where [PersonalFolder] is the Documents folder for the current user (by default C:\Users\username\Documents). After the host key is added, Micro Focus Reflection Desktop can authenticate the server without requiring user confirmation, and the unknown host prompt does not appear again.

To prevent end users from seeing the unknown host message, you can deploy a known hosts file per-user or for all users of the system. These settings are not included in compound documents.

  • User-specific file: [PersonalFolder]\Micro Focus\Reflection\.ssh\known_hosts, where [PersonalFolder] is the Documents folder for the current user (by default C:\Users\username\Documents).

  • Global file: [CommonAppDataFolder]\Micro Focus\Reflection\ssh_known_hosts, where [CommonAppDataFolder] is the application data folder for all users (by default C:\ProgramData).
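Deploying a known hosts file, as described above, removes the unknown-host prompt, but it also moves the burden of getting the host keys right onto the administrator (the distribution problem that section 3.2.1 contrasts with certificate authentication). The following Python script is an added example, not part of this guide or of Reflection: it audits a known_hosts file against a list of host-key fingerprints the administrator has confirmed out of band, reporting hosts whose recorded key matches, hosts with a key that does not match (a rotated key or a substituted one, either way worth investigating before deployment), and hosts with no entry at all (users would still see the prompt). It assumes the file uses the OpenSSH line format, hostnames key-type base64-blob, and the SHA256 fingerprint convention that OpenSSH prints; the host names, keys and fingerprints are constructed sample data.

```python
"""Audit a deployed known_hosts file against an administrator's fingerprint list.

Assumption: the file uses the OpenSSH line format
'<hostnames> <key-type> <base64-key-blob> [comment]'. All host names, keys
and fingerprints below are constructed sample data, not real hosts.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH length-prefixed string (RFC 4251, section 5)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the wire-format public key blob for an ssh-ed25519 key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map each host name to the (key_type, blob) pairs recorded for it.

    Blank lines and '#' comments are skipped; the hosts field may list several
    names separated by commas, and one host may appear on more than one line.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: too few fields to be a key entry
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not valid base64: skip rather than trust a corrupt entry
        for host in hosts.split(","):
            entries.setdefault(host, []).append((key_type, blob))
    return entries


def audit(known_hosts_text: str, expected: dict) -> dict:
    """Compare recorded host keys with the fingerprints the administrator confirmed.

    expected maps host name -> fingerprint string. The status per host is:
      'ok'       a recorded key matches the confirmed fingerprint
      'mismatch' keys are recorded for the host but none matches (investigate
                 before deploying: key rotation, or a substituted host key)
      'unknown'  no key recorded; users would still see the unknown-host prompt
    """
    entries = parse_known_hosts(known_hosts_text)
    result = {}
    for host, want in expected.items():
        keys = entries.get(host, [])
        if not keys:
            result[host] = "unknown"
        elif any(fingerprint(blob) == want for _, blob in keys):
            result[host] = "ok"
        else:
            result[host] = "mismatch"
    return result


# Constructed sample data: two synthetic ed25519 key blobs (not real keys).
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample of a file an administrator would deploy",
    "hostA.example.net,10.0.0.5 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    "hostB.example.net ssh-ed25519 " + base64.b64encode(KEY_B).decode(),
])

# Fingerprints the administrator confirmed out of band (constructed here).
EXPECTED = {
    "hostA.example.net": fingerprint(KEY_A),
    "hostB.example.net": fingerprint(KEY_A),  # deliberately wrong: flags a mismatch
    "hostC.example.net": fingerprint(KEY_B),  # never recorded: reported as unknown
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_KNOWN_HOSTS, EXPECTED).items():
        print(f"{host}: {status}")
```

Run it against the real file before pushing it to the global ssh_known_hosts location; a "mismatch" result is the case the fingerprint prompt exists to catch, so it should be resolved with the server owner rather than by overwriting the entry.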